Collector/DVR

Run the Sniffer in Collector / "DVR" Mode

"Collect" mode causes the sniffer to write messages about packets and snort alerts to disk for retrieval later by the Collector Feed. The data is stored chronologically, in compressed form; the Collector Feed allows you to pull a specific time range of data from storage and load it into the console. Collect mode is like a flight recorder for the network the sniffer is plugged into.

1) Create key pairs for server and client, using the following commands:

Leaving "snortcommand=" empty causes the sniffer not to run snort. To have the sniffer launch a snort process and monitor its alerts, put your snort command here, making sure it includes "-A console".

"storagepath=c:\\sniffdata" tells the sniffer to store files in c:\sniffdata (to specify a backslash in a properties file, type two backslashes in a row). The storagepath property is required in order to run collect mode.

"minfreespace=100000000" tells the sniffer to purge the oldest data whenever the free space on the disk drops below 1000MB. The default value is 250000000.
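As an added example (not code from the sniffer itself), here is a small Python checker for these collect-mode properties: it parses a constructed properties file using the doubled-backslash convention described above, flags settings that would break collect mode, and simulates the oldest-first purge rule. The property names and default come from this page; the file format (Java-style key=value lines) is an assumption.

```python
# Constructed sample of a sniffer properties file (assumed Java-style
# key=value format; a literal backslash is written as two backslashes).
SAMPLE_PROPERTIES = r"""
# collect-mode settings (constructed example)
snortcommand=snort -c C:\\snort\\etc\\snort.conf -A console
storagepath=c:\\sniffdata
minfreespace=100000000
"""

DEFAULT_MINFREESPACE = 250000000  # default given on the page, in bytes


def parse_properties(text):
    """Parse key=value lines; a doubled backslash in a value becomes one."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def check_collect_config(props):
    """Return the problems that would stop collect mode working as intended."""
    problems = []
    if not props.get("storagepath"):
        problems.append("storagepath is required for collect mode")
    cmd = props.get("snortcommand", "")
    if cmd and "-A console" not in cmd:
        problems.append("snortcommand lacks '-A console'; alerts will not be seen")
    try:
        int(props.get("minfreespace", DEFAULT_MINFREESPACE))
    except ValueError:
        problems.append("minfreespace must be an integer number of bytes")
    return problems


def purge_plan(files, free_bytes, minfreespace):
    """files: list of (timestamp, size_bytes). Return the timestamps of the
    oldest files to delete until free space reaches minfreespace (simulates
    the purge rule the minfreespace property describes)."""
    to_delete = []
    for timestamp, size in sorted(files):
        if free_bytes >= minfreespace:
            break
        to_delete.append(timestamp)
        free_bytes += size
    return to_delete
```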

- Put the hubserver.jks keystore file into the .deepnode directory.

- Run the sniffer with the command-line parameter "collect". This prevents it from opening a dialog window, makes it listen for connections from clients, and makes it store data on disk; with this option the sniffer starts monitoring as soon as it is run. The command to run the sniffer will be something like this:

- Configure it with the address of the server you are monitoring as "hub address", and with the listen port you gave the sniffer as "hub port".

- Place the hubclient.jks keystore file into the .deepnode directory within your home directory.

- Set the start and end fields to the date/time values that define the range of data you want to load into the console; all events (packets and snort alerts) that happened between these two date/times will be retrieved. The format is yyyy-MM-dd HH:mm.

4) Launch the Console. The collector feed will connect to it, connect to the sniffer, and begin streaming data.